CN1661503B - Control system - Google Patents

Control system

Info

Publication number
CN1661503B
Authority
CN
China
Prior art keywords
master controller
fieldbus
bus master
control system
control
Legal status
Active
Application number
CN2004101033901A
Other languages
Chinese (zh)
Other versions
CN1661503A (en)
Inventor
莱纳·埃斯奇
斯蒂芬·霍恩
约翰尼斯·卡尔霍夫
Current Assignee
Phoenix Contact GmbH and Co KG
Original Assignee
Phoenix Contact GmbH and Co KG

Classifications

    • G05B19/042 (G05B19/04, Programme control other than numerical control, i.e. in sequence controllers or logic controllers): using digital processors
    • H04L12/40013 (H04L12/40 Bus networks; H04L12/40006 Architecture of a communication node): details regarding a bus controller
    • H04L12/40019 (H04L12/40 Bus networks; H04L12/40006 Architecture of a communication node): details regarding a bus master
    • G05B2219/2225 (G05B2219/20 PC systems; G05B2219/22 PC multi-processor system): communication, CPU accesses own I/O and next CPU over dual-port memory
    • G05B2219/25014 (G05B2219/25 PC structure of the system): fieldbus, general name of bus connected to machines, detectors, actuators
    • G05B2219/25174 (G05B2219/25 PC structure of the system): Ethernet
    • G05B2219/25431 (G05B2219/25 PC structure of the system): dual-port memory

Abstract

Control system for controlling safety-critical processes with communication over a fieldbus. In the system according to the invention, the control unit is integrated in the interface module, i.e. in the multi-port memory interface of the bus master. It is therefore not connected directly to the fieldbus, and it can insert fail-safe data into the fieldbus frames, without any safety-protocol-relevant interpretation by the bus master, before the data are transferred to the signal unit.

Description

Control system
Technical field
The present invention relates in general to a control system for controlling safety-critical processes, and in particular to a control system that communicates over a fieldbus.
Background technology
For many years, fieldbus systems have been used more and more widely in the automation field; such fieldbus systems connect input/output devices to higher-level control equipment. One example is Interbus, which is based on the EN 50254 standard.
Such a fieldbus system typically comprises a plurality of signal units, or bus users, connected to the process to be controlled, and a bus master controller (bus master) that controls the frame-based traffic over the fieldbus by means of "fieldbus messages".
Because copper cabling is saved, fieldbus systems allow the complexity of the cable installation to be reduced significantly. However, the design of serial fieldbus systems runs into the problem of safety-related requirements. Examples of safety-related functions are a stop function, or an emergency shutdown function that allows the fieldbus system to enter a safe state.
In early fieldbus systems, the control signals required for this purpose were transmitted between the controller and the bus users over separate lines rather than over the fieldbus itself.
Other known solutions rely on all devices that perform safety functions being designed with an appropriate degree of redundancy. DE 40 32 033 A1 relates to this: it discloses an electronic automatic control system (for technical equipment) of at least partially redundant design, in which safety-related signals are triggered repeatedly and sent over at least two separate signal paths to at least partially redundant users that evaluate the safety-related signals.
DE 37 06 325 C2 describes a control and data network in which, in order to communicate with one another, safety-related devices are connected to a separate emergency-stop control line.
These known techniques have the disadvantage that they require a large number of redundant elements, or require parallel signal lines in order to transmit the additional control signals.
DE 197 42 716 C2 discloses a control and data transmission system in which safety-related devices can communicate with one another over the fieldbus; each output is connected via a switch to a bus interface device, and is connected directly to the safety-related device of each bus user and/or to a central control unit.
Although these systems have the advantage of using the fieldbus to realise safety control, the invention described below improves on them further.
DE 199 28 517 C2 proposes another control system for controlling safety-critical processes, in which a safety control unit is connected to the fieldbus. This system, however, has disadvantages in several respects.
The message data addressed to a signal unit must first be generated and then replaced again by fail-safe messages by the safety control unit. This process appears inefficient.
Furthermore, data can only be transmitted between the bus master controller and the safety control unit over an active fieldbus, so the control unit can perform its processing only when the fieldbus is active, which is a disadvantage.
In addition, transmission over the fieldbus is comparatively slow, so even where diagnostic options exist they can only be used under considerable restrictions.
Summary of the invention
The present invention is therefore based on the object of improving a control system for safety-critical processes so that highly efficient communication between the safety control unit and the bus master controller becomes possible.
A further object of the invention is to provide a control system that allows improved diagnostic and reaction options, in particular when an error event occurs.
A further object of the invention is to provide a control system that guarantees a high safety level.
A further object of the invention is to provide a control system that avoids the disadvantages described above and increases the flexibility of the system by allowing safety-related devices to be integrated into the system simply and inexpensively.
The object of the invention is achieved in a surprisingly simple manner by the subject matter of the independent claims. Advantageous developments of the invention are defined in the dependent claims.
According to the invention, a control and data transmission system for controlling safety-critical processes comprises a fieldbus, in particular a serial fieldbus, and a bus master controller that is connected to the fieldbus and controls communication over the fieldbus.
The system also comprises at least one safety signal unit, or safety bus user, which during operation is linked via I/O channels to, or connected to, at least one safety-critical process.
Preferably the system comprises a plurality of signal units, in particular both safety and non-safety signal units. The safety signal units are linked to safety-critical processes and the non-safety signal units to non-safety processes.
The bus master controller and the signal units are interconnected by the fieldbus, in particular connected in series. The fieldbus is used to realise cyclic communication, or message traffic, between the bus master controller and the signal units.
Further, a first, safety control unit, in particular an integrated safety controller, is provided for controlling the safety-critical process. For this purpose both the safety signal unit and the safety control unit have safety-related devices.
This provides fail-safe communication for the control of the safety-critical process. Those skilled in the art will be aware that absolute fail-safety cannot be achieved, so fail-safe communication is understood to mean communication whose protection against failure is increased compared with non-safe communication.
According to the invention, the safety control unit or safety controller, and in particular the safety-related devices in the safety control unit, are independent of the fieldbus, i.e. are not connected to the bus master controller via the fieldbus, and communicate with the bus master controller independently of the fieldbus, in particular bidirectionally.
Since the first control unit is not connected directly to the fieldbus but to the bus master controller, preferably directly by means of a first interface, fail-safe data can be sent from the first control unit to the bus master controller over the first interface, preferably an existing "multi-port memory interface". This interface may comprise one or more Ethernet interfaces, in particular Fast Ethernet interfaces.
To transmit the data to the signal units, the bus master controller then inserts the fail-safe data into the frames of the fieldbus messages, or of the fieldbus communication as a whole. The safety-related data are thus sent to the appropriate signal units at the data layer, so that the originally non-safe bus protocol is made "safe" at the data layer.
Communication between the safety control unit and the bus master controller over the multi-port memory interface, which is parallel rather than serial, becomes more efficient and easier to handle, and for example offers more diagnostic options than communication over the fieldbus.
In other words, the safety control unit generates a safety-oriented protocol and sends it to the bus master controller. The communication over the fieldbus is then handled, in particular by the bus master controller, by inserting the safety-oriented protocol directly into the fieldbus messages as user data and/or without any dedicated safety-related function, and sending it to the safety signal units.
Compared with the solution in DE 199 28 517 C2, therefore, the diametrically opposite approach is adopted: the safety control unit is connected directly to the bus master controller rather than via the fieldbus. The invention thereby avoids the disadvantages of that system.
Admittedly, the invention does not allow an existing control system to be upgraded as easily as DE 199 28 517 C2 does by simply connecting a safety control unit to the fieldbus, which at first sight may give the impression of a step backwards.
Surprisingly for the person skilled in the art, however, this solution yields other major advantages that far outweigh that disadvantage.
In particular, it makes more robust and faster communication between the safety control unit and the bus master controller possible.
Therefore, according to one particular embodiment of the invention, the connection between the safety control unit and the bus master controller is an Ethernet connection, in particular a Fast Ethernet connection with matching interfaces.
Moreover, the actual communication between the control unit and the bus master controller is safe.
In addition, a flexible response to errors is possible to a certain extent. Not every error need lead directly to the system being shut down; if a predetermined error occurs, the system can continue to operate using an emergency program.
This method is independent of the fieldbus or network, and therefore makes the safety engineering system more efficient and safer than previously known control systems.
In frame-based transmission over the fieldbus, for example, the bus master controller inserts the fail-safe data from the safety control unit into the fieldbus frames in order to transmit them to the signal units.
This fieldbus-independent communication between the safety control unit and the bus master controller has several advantages at once.
First, it is advantageous that data exchange between the safety control unit and the bus master controller can take place even when communication over the fieldbus has not been started. This can be used, for example, to let the safety control unit control the bus master controller so that the latter begins operation only when (and only after) a predetermined function of the safety control unit, for example a safe operating condition, has been established.
For example, the bus master controller does not start working until the safety control unit has successfully completed a self-test. The self-test is carried out, in particular automatically, when the safety control unit starts up ("boot"). Preferably, during the self-test the safety control unit disables the bus master controller or switches it to a non-operable state, for example a reset state.
Alternatively or in addition, the bus master controller can likewise perform a self-test after start-up, in particular after the self-test of the control unit, which further enhances the safety of the system.
In other words, the bus master controller can switch to an operating condition only after the self-test of the first control unit and/or of the bus master controller has completed successfully. The effect achieved is that if the bus master controller or the safety control unit is faulty, communication over the fieldbus cannot actually be started. A further advantage is that the bus master controller starts only when the first control unit is started.
Preferably, the bus master controller and the first control unit are separate components interconnected by the first, fieldbus-independent interface. According to a preferred embodiment, the bus master controller communicates with the first control unit by an Ethernet protocol. In particular, an Ethernet or Fast Ethernet connection makes it possible to integrate the first control unit and/or the bus master controller into another existing network or into a network still to be set up. Likewise, communication by an Ethernet protocol, in particular Fast Ethernet, can be faster than communication over a conventional fieldbus.
The serial fieldbus is preferably Interbus, and the bus master controller is preferably a standard G4 bus master controller, that is to say a non-safety bus master controller based on the EN 50254 standard.
As described above, such a G4 bus master controller has a "multi-port memory interface" that is used to connect the safety control unit to the bus master controller. Data transmission between the bus master controller and the safety control unit therefore takes place over the multi-port memory interface, which may also comprise an Ethernet interface, rather than over the fieldbus.
In this case, in particular, the first control unit provides safety control data and a safety protocol for the safe communication, and sends the safety control data and the safety protocol to the bus master controller. The bus master controller in turn inserts the safety control data and the safety protocol into the correct fieldbus messages as user data, in particular without changing this information in any way. To connect to the fieldbus, the bus master controller has a second interface for transmitting data over the fieldbus; the first and second interfaces are preferably isolated from one another.
The features of the system described above advantageously allow a standard, non-safety bus controller to be used for various safety-related controllers.
According to a further advantageous embodiment of the invention, the fieldbus is designed as an industrial Ethernet, particularly advantageously as a Fast Ethernet bus. With such a bus, very high data rates (up to about 100 Mbit/s over Fast Ethernet) can be achieved. A further advantage is particularly easy integration into existing networks.
Another preferred option is that, in one embodiment, the safety control unit is connected to the bus master controller upstream of the fieldbus, which means that the safety-related data are processed in advance.
In a particularly preferred option, the bus master controller and the safety control unit are integrated in a common interface module. In other words, the safety engineering system provided by the safety control unit is integrated in the bus master controller interface. This allows, in particular, the safety control unit to test the software in the interface module containing the bus master controller, and to start the safety control unit or the control of the safety-critical process only when the test result is positive. For this purpose the bus master controller can be controlled by the safety control unit.
Interbus performs communication over the fieldbus cyclically. Preferably, each cycle is divided into a processing cycle in the safety control unit and a bus cycle in which the data are sent to the signal units over the fieldbus. A further preferred option is that the processing cycle and the bus cycle are executed continuously in synchrony.
Since many applications involve controlling several processes, and these also include non-safety-critical processes, the system preferably comprises, in addition to the safety control unit, at least one second, non-safety control unit for the non-safety control of non-safety-critical processes. This non-safety control preferably also takes place synchronously.
In this case the bus master controller communicates with the second control unit by, for example, a third interface, with the first, second and/or third interfaces each separated from one another. In this connection, provision can be made for the first and second control units to exchange data with one another, in particular, where appropriate, when the bus master controller is disabled. The third interface also comprises an Ethernet interface, preferably a Fast Ethernet interface used, for example, by the bus master controller to communicate with the second control unit by an Ethernet protocol. In addition, if the first control unit is also provided with an Ethernet interface, the second control unit communicates with the first control unit over an Ethernet connection.
A reason the invention is particularly advantageous is that, under predetermined preconditions, operation can continue even if a fault occurs in the system. For example, at least two operating conditions are preferably defined, namely a first, safe operating condition and a second operating condition whose safety level is lower than that of the first. The second operating condition is, for example, an emergency running program. When predetermined safety information is present, the safety control unit switches the system to the second operating condition.
On the one hand, the predetermined safety information can be sent by a safety signal unit over the fieldbus and evaluated by the safety control unit. If the safety control unit determines that there is a fault, it switches the system to the second operating condition.
On the other hand, or alternatively, the predetermined safety information can also be generated in the safety control unit itself. For example, the safety control unit has at least two processors (CPUs) that are compared with one another in order to increase the safety level. If one of the two processors fails, the system can still continue to operate at a lower safety level, i.e. in the second operating condition. This allows the system, for example, to use an emergency operating mode, in particular a time-limited one, so that the system can be stopped in a controlled manner or a faulty element can be replaced at the first opportunity for a changeover.
To avoid permanent operation in the second operating condition, the control system is automatically disabled or switched to a non-operable state by the first control unit, preferably after a predetermined period of time has expired.
The invention further relates to the safety control unit used in the control system according to the invention, and to an interface module having a bus master controller and a safety control unit.
The invention is explained in more detail below on the basis of exemplary embodiments and with reference to the accompanying drawings.
Description of drawings
In the drawings:
Fig. 1 shows a schematic diagram of the control system according to the invention;
Fig. 2 shows a block diagram of the control system according to the invention;
Fig. 3 shows a schematic diagram of a plurality of cycles in transmission over Interbus;
Fig. 4 shows the Interbus cycle of Fig. 3 in more detail.
Embodiment
Fig. 1 shows the control system 1 with a bus master controller 2, which controls communication over the fieldbus 4 with a plurality of signal units, also called bus users.
The signal units comprise safety and non-safety signal units 5, 7; the safety signal units 5 are controlled by a control unit 8 with safety function (abbreviated to safety control unit 8), and the non-safety signal units 7 by a control unit 10 without safety function (abbreviated to non-safety control unit 10).
Neither the safety nor the non-safety control unit is connected directly to the fieldbus 4; instead they are connected directly to the bus master controller 2 by interfaces 12, 14 that are separate from the fieldbus.
Fig. 2 shows the control system 1 in more detail with three exemplary signal units.
The bus master controller 2 is a standard G4 bus master controller integrated together with the safety control unit 8 in an interface module 16 in the form of a plug-in module. In this embodiment the interface module 16 is an IBS S7400ETH S DSC/I-T Interbus interface module. The serial fieldbus is accordingly an Interbus according to the EN 50254 standard or to DIN 19258. The safety engineering system is thus formed as an integrated component of an Interbus interface. According to another specific embodiment of the control system of Fig. 2, the fieldbus 4 is designed as an industrial Ethernet, specifically a Fast Ethernet bus.
The G4 bus master controller 2 has a multi-port memory interface that is functionally divided into an interface 12 for the control unit 8 with safety function and an interface 14 for the control unit 10 without safety function. These interfaces 12, 14 allow bidirectional communication 18, 20 between the safety control unit 8 and the bus master controller 2 on the one hand, and between the non-safety control unit 10 and the bus master controller 2 on the other. According to a development of this embodiment, this communication can be carried out by an Ethernet protocol, in which case the interfaces 12, 14 are Ethernet interfaces.
According to the invention, the processing of the control units 8, 10 is independent of the fieldbus from the outset, because the control units 8, 10 are connected to the fieldbus master control unit 2 upstream of the fieldbus connection 22.
With further reference to Fig. 2, the bus master controller 2 has an Interbus protocol master chip (IPMS) 24. The IPMS protocol chip 24 has an RS422 driver 28, and the fieldbus signals are DC-isolated by, for example, an optocoupler 26 connected to the driver 28.
The interface module 16 also comprises two connection points in the form of a remote Interbus interface 22 for the circulating serial fieldbus 4; the remote Interbus interface 22 is here in the form of a D-SUB plug connector.
There is also a parameterisable bypass or connection (not shown in the drawings) between the safety control unit 8 and the non-safety control unit 10.
This bypass allows the non-safety control unit 10 and the safety control unit 8 to exchange data without needing the function of the IPMS protocol chip 24.
In an emergency or a fault event, the safety control unit can therefore use the bypass to take over the tasks of the non-safety control unit, or the control of the non-safety process. A safe shutdown strategy (stop category 1 or 2) or an emergency operating function can also be realised with this system.
This close synchronisation of the elements comprising the fieldbus master controller 2, the safety control unit 8 and the non-safety control unit 10 helps to achieve more efficient execution and a high level of diagnostics.
A safety signal unit 6, a further safety signal unit 32 and a non-safety signal unit 34 are connected in series to the fieldbus 4. The signal units 6, 32, 34 are in turn linked to processes 40, 42, 44, which are controlled and monitored over the fieldbus 4 by the control units 8, 10 and the corresponding signal units 6, 32, 34.
In this connection, processes 40 and 42 are safety-critical processes and process 44 is a non-safety-critical process. By way of example, the safety signal units 6, 32 are safe slave modules SDIO4/4, each of which has a safety-related device 46, 48 for handling the safety control of the safety-critical processes 40, 42.
A safety-critical process may, for example, be an emergency shutdown function or the monitoring of a safety cage. Obviously, other signal units and processes can also be connected to the fieldbus.
Returning to the interface module 16, it has the following mechanism.
The start-up of the fieldbus 4 and of the safety controller 8 comprises a mutual check carried out in the following order:
- After start-up, the safety control unit 8 carries out a self-test, during which it holds the bus master controller 2 in the reset state by communication 18 over the interface 12, for example using a reset line.
- Only when the safety control unit 8 has successfully completed the test does the bus master controller 2 begin to operate. If the safety control unit 8 is removed or an error occurs, the bus master controller 2 is therefore prevented from starting. When the safety control unit 8 has successfully completed its self-test, the bus master controller 2 itself performs a self-test.
- After the self-test in the bus master controller 2 has been carried out successfully, the bus master controller 2 sends its version identifier to the safety control unit. The release stage of the firmware in the interface module 16 is then checked by suitable checking means in the safety control unit 8.
In addition, the safety control unit 8 is activated and assumes responsibility for the behaviour of the bus master controller, including the safety-capable functions.
Furthermore, the fieldbus 4 is activated only when the safety control unit 8 has started.
Since repeated checks of the safety function are thereby guaranteed, this in itself achieves a considerable safety effect.
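The mutual start-up check described in the three steps above (and in the summary's self-test discussion) can be modelled as a small state machine. The following is an added example, not code from the patent or from Phoenix Contact; the state names, the fault-injection flags and the accepted firmware-version list are assumptions for this illustration.

```python
"""Model of the start-up of interface module 16: safety control unit 8 holds
bus master 2 in reset until its own self-test passes, then the bus master
self-tests, then its version identifier is checked before fieldbus 4 runs."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import List, Tuple


class State(Enum):
    SAFETY_SELF_TEST = auto()      # bus master held in reset by the safety unit
    BUS_MASTER_SELF_TEST = auto()  # reset released, bus master tests itself
    VERSION_CHECK = auto()         # firmware release checked by the safety unit
    FIELDBUS_ACTIVE = auto()       # all checks passed: fieldbus may run
    INHIBITED = auto()             # a check failed: fieldbus never comes up


@dataclass
class BusMaster:
    firmware_version: str
    self_test_ok: bool = True      # fault-injection flag (assumption)
    in_reset: bool = True


@dataclass
class SafetyControlUnit:
    present: bool = True           # False models a removed safety unit
    self_test_ok: bool = True
    # Assumed list of accepted firmware releases; the patent only says the
    # release stage is checked by "suitable checking means".
    accepted_versions: Tuple[str, ...] = ("G4-1.0", "G4-1.1")

    def check_version(self, version: str) -> bool:
        return version in self.accepted_versions


class InterfaceModule:
    """Interface module 16: bus master 2 and safety control unit 8 together."""

    def __init__(self, safety: SafetyControlUnit, master: BusMaster):
        self.safety, self.master = safety, master
        self.master.in_reset = True           # step 1: reset line asserted
        self.fieldbus_active = False
        self.state = State.SAFETY_SELF_TEST
        self.trace: List[State] = [self.state]

    def step(self) -> State:
        """Advance the mutual check by one stage and return the new state."""
        if self.state is State.SAFETY_SELF_TEST:
            if self.safety.present and self.safety.self_test_ok:
                self.master.in_reset = False  # release reset only on success
                self.state = State.BUS_MASTER_SELF_TEST
            else:
                self.state = State.INHIBITED  # master stays in reset
        elif self.state is State.BUS_MASTER_SELF_TEST:
            self.state = (State.VERSION_CHECK if self.master.self_test_ok
                          else State.INHIBITED)
        elif self.state is State.VERSION_CHECK:
            ok = self.safety.check_version(self.master.firmware_version)
            self.fieldbus_active = ok         # fieldbus starts only here
            self.state = State.FIELDBUS_ACTIVE if ok else State.INHIBITED
        self.trace.append(self.state)
        return self.state

    def run(self) -> State:
        """Run the start-up sequence through to its terminal state."""
        while self.state not in (State.FIELDBUS_ACTIVE, State.INHIBITED):
            self.step()
        return self.state


if __name__ == "__main__":
    for safety, master in [(SafetyControlUnit(), BusMaster("G4-1.1")),
                           (SafetyControlUnit(present=False), BusMaster("G4-1.1")),
                           (SafetyControlUnit(), BusMaster("G4-0.9"))]:
        module = InterfaceModule(safety, master)
        print(module.run().name, [s.name for s in module.trace])
```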
With reference to Figs. 3 and 4, the additional improvement in safety and reaction speed achieved according to the invention is explained.
The reason is that, during operation of the system, the fieldbus cycle and the safety control cycle are executed synchronously, which means that the fieldbus 4 cannot operate unless it remains in continuous synchrony with the safety control unit 8.
Fig. 3 shows a plurality of fieldbus cycles 50, each of which is divided into a processing cycle 52 for the safety control unit and an Interbus I/O cycle 54. In the Interbus I/O cycle 54, the data are sent to the signal units 6, 32, 34.
Fig. 4 shows one fieldbus cycle 50, or more precisely the Interbus cycle, in detail. Here the processing cycle 52 comprises fields 106, 132, 134, each of which is associated with one of the signal units 6, 32, 34 and contains the control or user data for the respective signal unit. Each field, or user data field, is in turn constructed from a plurality of bus messages, for example from three bus messages of one bit each.
Thus the safety control unit 8 provides the user data and the safety-related protocol data at the data layer, and the safety-related protocol data are transmitted by the bus master controller 2 over the fieldbus as user data. In particular, the bus master controller 2 itself therefore performs no safety-related interpretation. The advantage of this is that a "non-safe" standard G4 bus master controller can be used.
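The data-layer principle just described (and the summary's statement that the bus master inserts the safety protocol into fieldbus messages as unchanged user data) is illustrated by the following added example, which is not code from the patent or from Phoenix Contact. The safety PDU format it uses (a sequence counter and a CRC-16 that also covers an implicit, untransmitted unit address) is an assumption for this illustration, not the patent's own protocol; unit numbers 6, 32 and 34 are the reference numerals from Fig. 2.

```python
"""Safety control unit 8 wraps user data in a safety PDU; the non-safe bus
master 2 copies it into the fieldbus frame without interpreting it; safety
signal units 6 and 32 validate it and go to the safe state on any error."""
from typing import Dict, List, Optional, Tuple

SAFETY_UNITS = (6, 32)          # safety signal units of Fig. 2
NON_SAFETY_UNIT = 34            # non-safety signal unit of Fig. 2


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); detects single-bit errors."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


class SafetyControlUnit:
    """Produces the safety-oriented protocol; it never touches the fieldbus."""

    def __init__(self):
        self.seq: Dict[int, int] = {u: 0 for u in SAFETY_UNITS}

    def build_pdu(self, unit_id: int, payload: bytes) -> bytes:
        self.seq[unit_id] = (self.seq[unit_id] + 1) & 0xFF
        body = bytes([self.seq[unit_id]]) + payload
        # The unit address is covered by the CRC but not transmitted, so a
        # PDU that the bus delivers to the wrong unit fails the check there.
        crc = crc16_ccitt(bytes([unit_id]) + body)
        return body + crc.to_bytes(2, "big")


class BusMaster:
    """Standard non-safe bus master: copies user data fields untouched."""

    @staticmethod
    def build_frame(fields: List[Tuple[int, bytes]]) -> bytes:
        # Assumed frame layout: [unit id][length][user data] per signal unit.
        return b"".join(bytes([u, len(d)]) + d for u, d in fields)

    @staticmethod
    def split_frame(frame: bytes) -> List[Tuple[int, bytes]]:
        fields, i = [], 0
        while i < len(frame):
            unit_id, n = frame[i], frame[i + 1]
            fields.append((unit_id, frame[i + 2:i + 2 + n]))
            i += 2 + n
        return fields


class SafetySignalUnit:
    """Safety signal unit with its safety-related device (46, 48 in Fig. 2)."""

    def __init__(self, unit_id: int):
        self.unit_id, self.expected_seq, self.safe_state = unit_id, 1, False

    def receive(self, pdu: bytes) -> Optional[bytes]:
        """Return the user data if the PDU is valid; otherwise enter the safe state."""
        if len(pdu) < 3:
            return self._fail()
        body, crc = pdu[:-2], int.from_bytes(pdu[-2:], "big")
        if crc16_ccitt(bytes([self.unit_id]) + body) != crc:
            return self._fail()                 # corrupted or misrouted
        if body[0] != self.expected_seq:
            return self._fail()                 # lost, replayed or stale PDU
        self.expected_seq = (self.expected_seq + 1) & 0xFF
        return body[1:]

    def _fail(self) -> None:
        self.safe_state = True                  # outputs go to the safe state
        return None


def one_cycle(scu: SafetyControlUnit, units: Dict[int, SafetySignalUnit],
              payloads: Dict[int, bytes], corrupt_index: Optional[int] = None):
    """One bus cycle; optionally flip one bit in the frame (a bus-level fault)."""
    fields = [(u, scu.build_pdu(u, payloads[u])) for u in SAFETY_UNITS]
    fields.append((NON_SAFETY_UNIT, payloads[NON_SAFETY_UNIT]))  # plain data
    frame = bytearray(BusMaster.build_frame(fields))
    if corrupt_index is not None:
        frame[corrupt_index] ^= 0x01
    results = {}
    for unit_id, data in BusMaster.split_frame(bytes(frame)):
        results[unit_id] = units[unit_id].receive(data) if unit_id in units else data
    return results
```

A bit flip inside unit 6's field is caught by unit 6 alone, while the bus master, which never parses the field, stays a standard non-safe component.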
For the sequence and the design of field, same applicant's patent specification DE 197 42 716 C1 can be as reference.By utilizing, the four corner of this patent specification is as disclosed content.
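The layering described above (safety protocol data generated by the safety control unit, carried as opaque user data by the non-safe bus master, and checked only by the safety device in the signal unit) can be illustrated with a short simulation. The following Python is an added example, not code from the patent or from the assignee. The five-byte field layout (address, sequence number, one user-data byte carrying the three one-bit messages, CRC-16) is an assumption made for the example and is not the field design of DE 197 42 716 C1; the sample cycles are constructed.

```python
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed field layout (an assumption for this example):
#   byte 0    address of the signal unit (6, 32 or 34)
#   byte 1    cycle sequence number, wraps at 256
#   byte 2    user data; bits 0..2 carry the three one-bit bus messages
#   bytes 3-4 CRC-16/CCITT over bytes 0..2, big-endian
PDU_LEN = 5


def crc16(payload: bytes) -> int:
    return binascii.crc_hqx(payload, 0xFFFF)


def build_safety_pdu(unit_addr: int, seq: int, user_bits: int) -> bytes:
    """Safety control unit 8: wraps the user data in safety protocol data."""
    body = bytes([unit_addr & 0xFF, seq & 0xFF, user_bits & 0x07])
    return body + crc16(body).to_bytes(2, "big")


def build_fieldbus_cycle(fields: List[bytes]) -> bytes:
    """Non-safe bus master 2: places the fields into the I/O cycle without
    interpreting them (it carries no safety-related logic)."""
    return b"".join(fields)


def split_fields(cycle: bytes) -> List[bytes]:
    return [cycle[i:i + PDU_LEN] for i in range(0, len(cycle), PDU_LEN)]


@dataclass
class SignalUnit:
    """Signal unit with its safety device: checks the field before acting on it."""
    addr: int
    last_seq: Optional[int] = None

    def accept(self, field: bytes) -> Optional[int]:
        """Returns the user bits if all checks pass, else None (safe reaction)."""
        if len(field) != PDU_LEN:
            return None
        body, crc = field[:3], int.from_bytes(field[3:], "big")
        if crc16(body) != crc:               # corrupted in transit
            return None
        addr, seq, bits = body
        if addr != self.addr:                # field meant for another unit
            return None
        if self.last_seq is not None and seq != (self.last_seq + 1) % 256:
            return None                      # stale, repeated or skipped cycle
        self.last_seq = seq
        return bits


def run_demo() -> Dict[str, object]:
    units = {6: SignalUnit(6), 32: SignalUnit(32), 34: SignalUnit(34)}
    results: Dict[str, object] = {}
    # Cycle 0: three one-bit messages per unit, packed into the user-data byte.
    pdus = [build_safety_pdu(a, 0, bits)
            for a, bits in ((6, 0b101), (32, 0b011), (34, 0b000))]
    cycle0 = build_fieldbus_cycle(pdus)
    results["cycle0"] = [units[f[0]].accept(f) for f in split_fields(cycle0)]
    # Cycle 1: one bit of unit 32's user data is flipped in transit. The bus
    # master forwards the field unchanged; the signal unit rejects it on the CRC.
    cycle1 = bytearray(build_fieldbus_cycle(
        [build_safety_pdu(a, 1, 0b111) for a in (6, 32, 34)]))
    cycle1[PDU_LEN + 2] ^= 0x01
    results["cycle1"] = [units[f[0]].accept(f) for f in split_fields(bytes(cycle1))]
    # Replay: unit 6 sees its cycle-0 field again and rejects it on the sequence number.
    results["replay"] = units[6].accept(split_fields(cycle0)[0])
    return results


if __name__ == "__main__":
    print(run_demo())
```

After a rejected field the unit keeps its previous sequence expectation, so a real implementation would additionally need a defined resynchronisation step; the example deliberately stops at the safe reaction.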
In accordance with the invention, synchronisation analogous to that with safety controller 8 can also be applied to non-safety controller 10. This can be implemented using a "dead man" signal (for example a trigger bit) from the non-safety controller to the safety controller. Such cascading increases the transmission speed and the determinism of system 1.
Furthermore, separate reprogramming of safety controller 8 during operation can be provided. Thanks to the direct integration with, and connection to, non-safety controller 10 or a superimposed network structure, safety controller 8 can be programmed or operated in all operating phases, in particular even when fieldbus 4 is not running. Access to diagnostic data by reprogramming during operation or when the network is stopped is thereby simplified. In the system proposed in DE 199 28 517 C2, by contrast, this is only possible when the fieldbus is running or an auxiliary network connected to the safety controller is available.
Moreover, the invention allows the construction of further safety-related functions that could otherwise only be used to a limited extent with a safety engineering system whose bus master controller 2 and safety controller 8 are decoupled from interface module 16 by cascading or by a network.
Referring again to Fig. 2, the safety controller comprises two processors or CPUs 62 and 64, each of which is associated with a safety-critical process. In this case processor 62 controls processes 40 and 42, and processor 64 likewise controls processes 40 and 42. If one of the two processors 62, 64 in safety controller 8 fails, or the safety engineering system is disturbed, safety controller 8 is arranged so that it can continue to control the safety-critical processes 40, 42, possibly in interaction with the bus master controller, under a different operating condition with a lower safety level: an "emergency running programme".
In particular, through mutual coordination between processors 62 and 64 (or between other processors), system 1 can continue to operate under an emergency running programme if one of processors 62 or 64 fails.
To this end, parameterisation, for example, allows safety control unit 8 to react to errors in the system. Three possible errors are explained below, and the reaction or function of the system in each case is described by example.
Error A: non-safety controller 10 fails or malfunctions.
System 1 can react to error A by having safety controller 8 take over at least part of the control functions of non-safety controller 10.
For this purpose, information about the error or fault is sent from non-safety control unit 10 to safety control unit 8. A response programme then performs the required actions.
Error B: CPU 62 in safety control unit 8 fails.
Safety control unit 8 switches from the first operating condition to the second operating condition and continues to operate at a lower safety level.
In addition, information is sent to the safety-critical process 42 controlled by the still-operating CPU 64, indicating that an error has occurred. A response programme then performs the required actions, for example within an expected time.
Error C: CPU 64 in safety control unit 8 fails.
Safety control unit 8 switches from the first operating condition to the second operating condition and continues to operate at a lower safety level.
The operation of control system 1 is the same as for error B.
Thus, when part of the safety engineering system fails, bus master controller 2 and the remainder of the safety engineering system can keep system 1 running. Even when the safety engineering system can only operate at a lower safety level, system 1 can continue to operate.
The advantage of this emergency programme, that is, of a safety control system able to operate under two operating conditions with different safety levels, is explained below with a concrete example.
System 1 is used to control an aerial cableway.
Until now, a failure of the safety engineering system caused the transport of the cable car gondolas to stop. The people being transported then had to be rescued from the gondolas either from the ground or from the air. Such a rescue is dangerous, for example in bad weather with frost and long waiting times, and the risk of an attempted helicopter rescue can increase disproportionately in that case.
The solution according to the invention reduces the likelihood of a total failure. This is because interface module 16, or the network card of the system according to the invention with its two operating conditions, allows operation to continue under the second condition at a lower safety level as described above, which at least allows the ropeway to be unloaded. Provision is therefore made for this operation at the lower safety level to be subject to a certain time limit.
Specific embodiments will be clearly understood by those skilled in the art from the above description of examples. The invention is not restricted to them; various changes may be made without departing from its spirit.
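To show how the two operating conditions, the "dead man" trigger bit from the non-safety controller (error A), a single-CPU failure (errors B and C) and the time limit on the second condition fit together, here is an added Python example; it is not code from the patent or from the assignee. The control law for processes 40 and 42, the cycle-based time limit, the error flag passed to the process, and the decision to perform a safe stop when both CPUs are alive but disagree are the example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CONDITION_1 = "condition 1: full safety level"
CONDITION_2 = "condition 2: reduced safety level (emergency programme)"
SAFE_STOP = "safe stop"
SAFE_OUTPUT = {"p40": 0, "p42": 0, "error": 1}


@dataclass
class Cpu:
    name: str
    healthy: bool = True

    def control(self, inputs: Dict[str, int]) -> Optional[Dict[str, int]]:
        """Control law for processes 40 and 42 (constructed); None models a failed CPU."""
        if not self.healthy:
            return None
        return {"p40": inputs["p40"], "p42": inputs["p42"] & inputs["p40"]}


@dataclass
class SafetyController:
    cpu62: Cpu = field(default_factory=lambda: Cpu("CPU 62"))
    cpu64: Cpu = field(default_factory=lambda: Cpu("CPU 64"))
    emergency_limit: int = 3          # cycles permitted in condition 2 (constructed limit)
    condition: str = CONDITION_1
    cycles_in_condition_2: int = 0
    covering_nonsafe: bool = False    # set when taking over non-safe functions (error A)
    events: List[str] = field(default_factory=list)

    def step(self, inputs: Dict[str, int], trigger_bit: bool) -> Dict[str, int]:
        if self.condition == SAFE_STOP:
            return dict(SAFE_OUTPUT)
        # Error A: the dead-man trigger bit from non-safety controller 10 is missing,
        # so the safety controller takes over part of its control functions.
        if not trigger_bit and not self.covering_nonsafe:
            self.covering_nonsafe = True
            self.events.append("error A: trigger bit missing, covering non-safe functions")
        out62 = self.cpu62.control(inputs)
        out64 = self.cpu64.control(inputs)
        if self.condition == CONDITION_1:
            if out62 is not None and out64 is not None:
                if out62 == out64:
                    return {**out62, "error": 0}
                # Both CPUs alive but disagreeing: no way to tell which is wrong, so stop.
                self.condition = SAFE_STOP
                self.events.append("cross-check mismatch: safe stop")
                return dict(SAFE_OUTPUT)
            # Error B or C: one CPU has failed, switch to the second operating condition.
            failed = "CPU 62" if out62 is None else "CPU 64"
            self.condition = CONDITION_2
            self.events.append(f"{failed} failed: switching to condition 2")
        # Condition 2: run on the surviving CPU, flag the error to the process,
        # and enforce the time limit of the emergency programme.
        self.cycles_in_condition_2 += 1
        survivor = out62 if out62 is not None else out64
        if survivor is None or self.cycles_in_condition_2 > self.emergency_limit:
            self.condition = SAFE_STOP
            self.events.append("emergency programme ended: safe stop")
            return dict(SAFE_OUTPUT)
        return {**survivor, "error": 1}


def run_cableway_demo() -> Dict[str, object]:
    """Constructed scenario: normal cycle, then CPU 62 fails (error B)."""
    sc = SafetyController()
    inputs = {"p40": 1, "p42": 1}
    trace = [sc.step(inputs, trigger_bit=True)]
    sc.cpu62.healthy = False
    for _ in range(4):
        trace.append(sc.step(inputs, trigger_bit=True))
    return {"outputs": trace, "condition": sc.condition, "events": sc.events}


if __name__ == "__main__":
    for key, value in run_cableway_demo().items():
        print(key, value)
```

In the demo the controller keeps the processes running for three cycles after CPU 62 fails, which stands in for the time needed to unload the ropeway, and then performs a safe stop on its own even if nobody intervenes.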

Claims (34)

1. A control system (1) for controlling safety-critical processes (40, 42) via a fieldbus (4), comprising:
a fieldbus (4);
a bus master controller (2) for controlling communication (50) via the fieldbus (4), wherein said bus master controller (2) is a non-safe bus master controller;
at least one signal unit (6, 32) linked to at least one safety-critical process (40, 42), wherein the bus master controller (2) and the signal unit (6, 32) are interconnected via the fieldbus (4), and the fieldbus (4) serves to provide the communication (50) between the signal unit (6, 32) and the bus master controller (4);
a first control unit (8) for controlling the safety-critical processes (40, 42);
wherein the signal unit (6, 32) and the first control unit (8) have associated safety devices (46, 48) that provide fail-safe communication for controlling the safety-critical processes (40, 42),
wherein the first control unit (8) is connected to the bus master controller (2) independently of the fieldbus, via a multiport memory interface (12, 14) separate from the fieldbus (4),
wherein the first control unit (8) generates a safety-oriented protocol and sends the safety-oriented protocol to the bus master controller (2).
2. The control system (1) as claimed in claim 1, wherein the bus master controller (2) and the first control unit (8) are separate components interconnected by the first interface (12).
3. The control system (1) as claimed in claim 1 or 2, wherein said bus master controller (2) is connected to said first control unit (8) via an Ethernet connection.
4. The control system (1) as claimed in claim 1 or 2, wherein the first control unit (8) provides a safety protocol for safe communication and sends it to the bus master controller (2).
5. The control system (1) as claimed in claim 1 or 2, wherein the data transmission between the bus master controller (2) and the first control unit (8) does not pass through the fieldbus (4).
6. The control system (1) as claimed in claim 1 or 2, wherein the bus master controller (2) has a second interface (22) for inputting and outputting data via the fieldbus (4), and the first and second interfaces (12, 22) are isolated from each other.
7. The control system (1) as claimed in claim 1 or 2, wherein the first control unit (8) is connected to the bus master controller (2) upstream of the fieldbus connection (21), so that the safety-related data are pre-processed.
8. The control system (1) as claimed in claim 1 or 2, comprising an interface module (16) which contains said bus master controller (2) and said first control unit (8).
9. The control system (1) as claimed in claim 1 or 2, wherein the first control unit (8) controls the bus master controller (2).
10. The control system (1) as claimed in claim 1 or 2, wherein the first control unit (8) automatically performs a self-test after power-on and disables the bus master controller (2) during the self-test.
11. The control system (1) as claimed in claim 1 or 2, wherein the bus master controller (2) performs a self-test after power-on.
12. The control system as claimed in claim 11, wherein said self-test of the bus master controller (2) is performed after the self-test of the first control unit (8).
13. The control system (1) as claimed in claim 1 or 2, wherein the bus master controller (2) switches to an operating condition only after the self-test of the first control unit (8) and/or of the bus master controller (2) has completed successfully.
14. The control system (1) as claimed in claim 1 or 2, wherein the bus master controller (2) is enabled only when the first control unit (8) has started.
15. The control system (1) as claimed in claim 8, wherein the first control unit (8) tests the software in the interface module (16) and starts the safety control of the safety-critical processes (40, 42) only if the result is positive.
16. The control system (1) as claimed in claim 1 or 2, wherein the communication via the fieldbus (4) is performed cyclically, one cycle (50) being divided into a processing cycle (52) for the first control unit and a bus cycle (54) in which data are transmitted via the fieldbus (4) to the signal units (40, 42).
17. The control system (1) as claimed in claim 16, wherein the processing cycle (52) and the bus cycle (54) are performed synchronously.
18. The control system (1) as claimed in claim 1 or 2, comprising at least one second control unit (10) that provides non-safe control for at least one non-safety-critical process (44).
19. The control system (1) as claimed in claim 7, comprising at least one second control unit (10) that provides non-safe control for at least one non-safety-critical process (44); wherein the bus master controller (2) communicates with the second control unit (10) via a third interface (14), and the second and third interfaces (22, 14) are isolated from each other.
20. The control system (1) as claimed in claim 19, wherein said third interface (14) comprises an Ethernet interface.
21. The control system (1) as claimed in claim 18, wherein the first and second control units (8, 10) exchange data with each other when the bus master controller (2) is disabled.
22. The control system (1) as claimed in claim 18, wherein the non-safe control is performed synchronously.
23. The control system (1) as claimed in claim 1 or 2, wherein at least one first, safe operating condition and one second operating condition are provided, the safety level of the second operating condition being lower than that of the first operating condition, and the first control unit (8) switches the control system (1) from the first operating condition to the second operating condition when predetermined safety information is present.
24. The control system (1) as claimed in claim 23, wherein the first control unit (8) has at least two processors (62, 64) that coordinate with each other regularly, and the system switches to the second operating condition if one of these at least two processors (62, 64) fails.
25. The control system (1) as claimed in claim 23, wherein the first control unit (8) switches the control system (1) from the first operating condition to the second operating condition when the predetermined safety information is sent by one of the signal units (40, 42) via the fieldbus (4) and analysed by the first control unit (8).
26. The control system (1) as claimed in claim 23, wherein the second operating condition is subject to a time limit.
27. The control system (1) as claimed in claim 1 or 2, wherein said fieldbus is an INTERBUS according to the EN 50254 standard.
28. The control system (1) as claimed in claim 1 or 2, wherein said fieldbus is an Industrial Ethernet.
29. A control system (1) for controlling safety-critical processes (40, 42) via a fieldbus (4), comprising:
a fieldbus (4);
a bus master controller (2) for controlling communication (50) via the fieldbus (4), wherein said bus master controller (2) is a non-safe bus master controller;
a plurality of signal units (6, 32, 34), at least one of which is a safety signal unit (6, 32) linked to a safety-critical process (40, 42); wherein the bus master controller (2) and the signal units (6, 32, 34) are interconnected via the fieldbus (4), and the fieldbus (4) serves to provide communication between the signal units (6, 32, 34) and the bus master controller (2);
a first control unit (8);
wherein fail-safe communication (50) for controlling the safety-critical processes (40, 42) is provided between the first control unit (8) and the safety signal unit (6, 32);
wherein the first control unit (8) is connected to the bus master controller (2) via a multiport memory interface (12, 14) separate from the fieldbus (4);
wherein the first control unit (8) generates a safety-oriented protocol and sends it to the bus master controller (2).
30. The control system (1) as claimed in claim 29, wherein the communication (50) on the fieldbus (4) is handled using fieldbus messages (106, 132, 134), and the safety-oriented protocol is sent from the bus master controller (4) to the safety signal unit (6, 32) using the fieldbus messages (106, 132, 134).
31. The control system (1) as claimed in claim 29 or 30, wherein the bus master controller (2) inserts the safety-oriented protocol into the fieldbus messages (106, 132, 134) as user data, directly and/or without requiring any safety-related functionality.
32. A control system (1) for controlling safety-critical processes (40, 42) via a fieldbus (4), comprising:
a first control unit (8) for controlling the safety-critical processes (40, 42), having a signal unit (6, 32) linked to the safety-critical process (40, 42) via I/O channels;
a fieldbus (4);
a bus master controller (2) for controlling communication (50) via the fieldbus (4),
wherein the bus master controller (2) and the signal unit (6, 32) are interconnected via the fieldbus (4),
wherein, to ensure fail-safe communication with each other, the first control unit (8) and the signal unit (6, 32) have associated safety devices (46, 48);
wherein the fieldbus (4) provides a cyclic messaging service (106, 132, 134) between the bus master controller (2) connected to the fieldbus (4) and the signal units (6, 32, 34),
wherein the first control unit (8) is not connected directly to the fieldbus (4), fail-safe data (106, 132, 134) are sent from the first control unit (8) to the bus master controller via a multiport memory interface (12, 14), and the communication via the fieldbus (4) is frame-based, the bus master controller (2) inserting the fail-safe data into the fieldbus frame (50) in order to transmit them to the signal units (6, 32, 34).
33. A control unit for use as the first control unit (8) in the control system (1) as claimed in any one of the preceding claims.
34. A module (16) for use in the control system (1) as claimed in any one of claims 1 to 32, comprising the bus master controller (2) and the first control unit (8).
CN2004101033901A 2003-11-18 2004-11-18 Control system Active CN1661503B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE10353950.6 2003-11-18
DE10353950A DE10353950C5 (en) 2003-11-18 2003-11-18 control system

Publications (2)

Publication Number Publication Date
CN1661503A CN1661503A (en) 2005-08-31
CN1661503B true CN1661503B (en) 2010-09-29

Family

ID=34428793

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2004101033901A Active CN1661503B (en) 2003-11-18 2004-11-18 Control system

Country Status (5)

Country Link
US (1) US7269465B2 (en)
EP (1) EP1533673A3 (en)
JP (1) JP4504165B2 (en)
CN (1) CN1661503B (en)
DE (1) DE10353950C5 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19928517C2 (en) * 1999-06-22 2001-09-06 Pilz Gmbh & Co Control system for controlling safety-critical processes
US6629166B1 (en) * 2000-06-29 2003-09-30 Intel Corporation Methods and systems for efficient connection of I/O devices to a channel-based switched fabric

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3706325A1 (en) 1987-02-27 1988-09-08 Phoenix Elekt Control and data network
DE4032033A1 (en) * 1990-10-09 1992-04-16 Siemens Ag Electric control and monitoring for underground plant - triggering safety-relevant signals for transmission over independent paths and processing by redundant systems
US7203728B2 (en) * 1993-01-26 2007-04-10 Logic Controls, Inc. Point-of-sale system and distributed computer network for same
DE69736278T2 (en) * 1996-02-22 2007-06-06 Kvaser Consultant Ab Device for influencing messages in a CAN system
US6587474B1 (en) * 1996-09-07 2003-07-01 Bayerische Motoren Werke Aktiengesellschaft Data bus for multiple components
DE19643092C2 (en) * 1996-10-18 1998-07-30 Elan Schaltelemente Gmbh Field data bus system
US6999824B2 (en) * 1997-08-21 2006-02-14 Fieldbus Foundation System and method for implementing safety instrumented systems in a fieldbus architecture
DE19742716C5 (en) * 1997-09-26 2005-12-01 Phoenix Contact Gmbh & Co. Kg Control and data transmission system and method for transmitting safety-related data
JP4599013B2 (en) * 1999-08-23 2010-12-15 ピルツ ゲーエムベーハー アンド コー.カーゲー Method for setting safety station and safety control system using the same
US6697684B2 (en) * 2000-02-15 2004-02-24 Thomas Gillen Programmable field measuring instrument
US6999996B2 (en) * 2000-03-14 2006-02-14 Hussmann Corporation Communication network and method of communicating data on the same
US6267219B1 (en) * 2000-08-11 2001-07-31 Otis Elevator Company Electronic safety system for escalators
JP3997988B2 (en) * 2001-05-31 2007-10-24 オムロン株式会社 Safety unit, controller system, controller connection method, and controller system control method
CN1222138C (en) * 2001-05-31 2005-10-05 欧姆龙株式会社 Safety network system and safety slaves and safety controller and communication method and information gathering method and monitoring method in safety network system
US7054922B2 (en) * 2001-11-14 2006-05-30 Invensys Systems, Inc. Remote fieldbus messaging via Internet applet/servlet pairs

Also Published As

Publication number Publication date
CN1661503A (en) 2005-08-31
US20050149207A1 (en) 2005-07-07
DE10353950C5 (en) 2013-10-24
JP4504165B2 (en) 2010-07-14
EP1533673A2 (en) 2005-05-25
EP1533673A3 (en) 2009-04-01
DE10353950A1 (en) 2005-06-23
JP2005151581A (en) 2005-06-09
DE10353950B4 (en) 2008-05-08
US7269465B2 (en) 2007-09-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant